-----Original Message-----
From: snort-sigs-bounces@lists.sourceforge.net
[mailto:snort-sigs-bounces@lists.sourceforge.net] On Behalf
Of Lutz Schildt
Sent: Monday, August 07, 2006 11:52 AM
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] Loopback Traffic from and to non Loopback-IP
Hi everyone,
I just had Snort alering me about this:
#(1 - 6417) [2006-08-07 10:03:53] [local/150] [snort/150] (snort
decoder) Bad Traffic Loopback IP
IPv4: 72.30.*.* -> 195.90.*.*
TCP: port=* -> dport: * chksum=0
Payload: length = 195
000 : 47 45 54 20 2F 72 6F 62 6F 74 73 2E 74 78 74 20
GET /robots.txt
010 : 48 54 54 50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20
HTTP/1.0..Host:
It's valid HTTP traffic, why would snort tell me it's Bad
Loopback Traffic? It's the first time in about 4 years of
snort that this happened. Is it maybe because chksum=0?
Since 127.0.0.1 isn't involved in this packet, I would suggest MAYBE
that snort has lost some packets.
Run SIGUSR1 on snort, look at logs for statistics and see if you can see
snort missing traffic.
If it does, try to upgrade/update, modify, change.
(google for help, many many reasons, depending on os, config, etc)
--
Michael Scheidell, CTO
561-999-5000, ext 1131
SECNAP Network Security Corporation
Take a vacation from spam: up to 25% off of SpammerTrap anti-spam
gateway
http://www.spammertrap.com/vacation
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
